ToeCutter, posted January 27, 2005

On waking up and noticing the performance on my machine was poor I discovered this C:\WINDOWS\system32\spoolcll.exe running as a service "Event Monitor". You can't kill the process because it spawns another, and the file is of course locked so you can't delete it. The best way to "switch it off" is to go into the services control panel, set the service to disabled, then reboot. It listens on 3 TCP ports, one of which gets randomly re-assigned every so often, so filtering on ports may not help. It's just another scummy remote admin virus by the look of things and tftp's files from the remote system. I'm having a hack at it now, and will post more information as I find out more.
taxexile, posted January 27, 2005

toe cutter, have a look at this downloadable programme: procexp.exe

Process Explorer for Windows 9x/NT/2000/XP/S2K3
Copyright © 1998-2004 Mark Russinovich
Sysinternals www.sysinternals.com

Using Process Explorer
----------------------
Start procexp.exe from its home directory. Complete usage instructions are available in the on-line help file. See Sysinternals for more monitoring tools, including a Registry monitor.
RDN, posted January 27, 2005

Quoting taxexile: "toe cutter, have a look at this downloadable programme: procexp.exe (Process Explorer for Windows 9x/NT/2000/XP/S2K3)"

Thanks Taxexile - so much better than Windows "Task Manager" and Norton's "Process Viewer". And I love that you can hover the mouse over the CPU usage trace and it tells you which process was using the CPU. Excellent! (Got any more like this?)
stumonster, posted January 28, 2005

"A report on the Australian Whirlpool Forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

thx slashdot http://it.slashdot.org/article.pl?sid=05/0...&tid=172&tid=95
ToeCutter (author), posted January 28, 2005

Ah yes - I've already got Process Explorer - one of the best utilities in my toolbox I have to say - well done Sysinternals. I've reported the virus to Trend Micro and had a look around at how this virus propagates. Early indications would seem to point at unsecured MySQL installations.
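Added example (my own code, not from the thread or any poster): a small Python detection script for the two indicators the posts above give, a source sweeping TCP/3306 across many hosts (the SANS port-3306 scan rise stumonster quotes) and a service whose binary is spoolcll.exe under system32 (ToeCutter's find). The firewall log format and the service list are constructed for the example; the scanner threshold is an assumption to tune.

```python
"""Flag the two indicators from the thread: a TCP/3306 sweep and a
service running spoolcll.exe. Log format is constructed for this example:
"<time> <src_ip> -> <dst_ip>:<dst_port>/<proto>"."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>\w+)$"
)

# Constructed sample: 203.0.113.5 probes 3306 on 30 distinct hosts in a /24;
# 198.51.100.9 is a normal client talking to a single database host.
SAMPLE_LOG = (
    [f"10:00:{i:02d} 203.0.113.5 -> 192.0.2.{i}:3306/tcp" for i in range(1, 31)]
    + ["10:01:00 198.51.100.9 -> 192.0.2.10:3306/tcp"] * 5
    + ["10:01:30 198.51.100.9 -> 192.0.2.10:80/tcp"]
)

# Constructed service inventory: (service display name, image path).
# spoolsv.exe is the legitimate Print Spooler; spoolcll.exe mimics its name.
SAMPLE_SERVICES = [
    ("Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("Event Monitor", r"C:\WINDOWS\system32\spoolcll.exe"),
]


def find_3306_scanners(lines, min_hosts=10):
    """Return {src_ip: distinct_targets} for sources that hit TCP/3306 on
    at least min_hosts different destination hosts (a sweep, not a client)."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["proto"].lower() == "tcp" and m["port"] == "3306":
            targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def suspicious_services(services):
    """Return services whose image is spoolcll.exe or whose display name is
    the 'Event Monitor' name the thread reports; match on basename so the
    legitimate spooler (spoolsv.exe) in the same directory is not flagged."""
    hits = []
    for name, path in services:
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == "spoolcll.exe" or name.strip().lower() == "event monitor":
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    print("3306 sweepers:", find_3306_scanners(SAMPLE_LOG))
    print("suspicious services:", suspicious_services(SAMPLE_SERVICES))
```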